{
  "id": "multi-namespace",
  "title": "Manage databases in multiple namespaces",
  "url": "https://redis.io/docs/latest/operate/kubernetes/7.8.4/re-clusters/multi-namespace/",
  "summary": "Redis Enterprise for Kubernetes allows you to deploy to multiple namespaces within your Kubernetes cluster. This article shows you how to configure your Redis Enterprise cluster to connect to databases in multiple namespaces",
  "content": "\nMultiple Redis Enterprise database resources (REDBs) can be associated with a single Redis Enterprise cluster resource (REC) even if they reside in different namespaces.\n\nTo learn more about designing a multi-namespace Redis Enterprise cluster, see [flexible deployment options]().\n\n Multi-namespace installations don't support Active-Active databases (REAADB). Only databases created with the REDB resource are supported in multi-namespace deployments at this time.\n\n## Prerequisites\n\nBefore configuring a multi-namespace deployment, you must have a running [Redis Enterprise cluster (REC)](). See more information in the [deployment]() section.\n\n## Create role and role binding for managed namespaces\n\nBoth the operator and the RedisEnterpriseCluster (REC) resource need access to each namespace the REC will manage. For each **managed** namespace, create a `role.yaml` and `role_binding.yaml` file within the managed namespace, as shown in the examples below.\n\nThese will need to be reapplied each time you [upgrade](). \n\nReplace `\u003crec-namespace\u003e` with the namespace the REC resides in.\nReplace `\u003cservice-account-name\u003e` with your own value (defaults to the REC name).\n\n`role.yaml` example: \n\n```yaml\nkind: Role\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: redb-role\n  labels:\n    app: redis-enterprise\nrules:\n  - apiGroups:\n      - app.redislabs.com\n    resources: [\"redisenterpriseclusters\", \"redisenterpriseclusters/status\", \"redisenterpriseclusters/finalizers\",\n                \"redisenterprisedatabases\", \"redisenterprisedatabases/status\", \"redisenterprisedatabases/finalizers\",\n                \"redisenterpriseremoteclusters\", \"redisenterpriseremoteclusters/status\",\n                \"redisenterpriseremoteclusters/finalizers\",\n                \"redisenterpriseactiveactivedatabases\", \"redisenterpriseactiveactivedatabases/status\",\n                \"redisenterpriseactiveactivedatabases/finalizers\"]\n    verbs: [\"delete\", \"deletecollection\", \"get\", \"list\", \"patch\", \"create\", \"update\", \"watch\"]\n  - apiGroups: [\"\"]\n    resources: [\"secrets\"]\n    verbs: [\"update\", \"get\", \"read\", \"list\", \"listallnamespaces\", \"watch\", \"watchlist\",\n            \"watchlistallnamespaces\", \"create\",\"patch\",\"replace\",\"delete\",\"deletecollection\"]\n  - apiGroups: [\"\"]\n    resources: [\"endpoints\"]\n    verbs: [\"get\", \"list\", \"watch\"]\n  - apiGroups: [\"\"]\n    resources: [\"events\"]\n    verbs: [\"create\"]\n  - apiGroups: [\"\"]\n    resources: [\"services\"]\n    verbs: [\"get\", \"watch\", \"list\", \"update\", \"patch\", \"create\", \"delete\"]\n```\n\n`role_binding.yaml` example:\n\n```yaml\nkind: RoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: redb-role\n  labels:\n    app: redis-enterprise\nsubjects:\n- kind: ServiceAccount\n  name: redis-enterprise-operator\n  namespace: \u003crec-namespace\u003e\n- kind: ServiceAccount\n  name: \u003cservice-account-name\u003e\n  namespace: \u003crec-namespace\u003e\nroleRef:\n  kind: Role\n  name: redb-role\n  apiGroup: rbac.authorization.k8s.io\n```\n\nApply the files, replacing `\u003cmanaged-namespace\u003e` with your own values:\n\n```sh\nkubectl apply -f role.yaml -n \u003cmanaged-namespace\u003e\nkubectl apply -f role_binding.yaml -n \u003cmanaged-namespace\u003e\n```\n\n\nIf the REC is configured to watch a namespace without setting the role and role binding permissions, or a namespace that is not yet created, the operator will fail and halt normal operations.\n\n\n\n## Update Redis Enterprise operator ConfigMap\n\nThere are two methods of updating the operator ConfigMap (`operator-environment-config`) to specify which namespaces to manage.\n\n- Method 1: Configure the operator to watch for a namespace label and add this label to managed namespaces (available in versions 6.4.2-4 or later).\n- Method 2: Configure the operator with an explicit list of namespaces to manage.\n\nYou can create this ConfigMap manually before deployment, or it will be created automatically after the operator was deployed.\n\n\n### Method 1: Namespace label (available in versions 6.4.2-4 or later)\n\n1. Create the `cluster_role_binding.yaml` and `cluster_role.yaml` files. Replace the `\u003crec-namespace\u003e` with the namespace the Redis Enterprise cluster (REC) resides in.\n\n  `operator_cluster_role.yaml` example:\n\n  ```yaml\n    apiVersion: rbac.authorization.k8s.io/v1\n    kind: ClusterRole\n    metadata:\n      name: redis-enterprise-operator-consumer-ns\n      labels:\n        app: redis-enterprise\n    rules:\n      - apiGroups: [\"\"]\n        resources: [\"namespaces\"]\n        verbs: [\"list\", \"watch\"]\n  ```\n\n  `operator_cluster_role_binding.yaml` example:\n\n  ```yaml\n    kind: ClusterRoleBinding\n    apiVersion: rbac.authorization.k8s.io/v1\n    metadata:\n      name: redis-enterprise-operator-consumer-ns\n      labels:\n        app: redis-enterprise\n    subjects:\n    - kind: ServiceAccount\n      name: redis-enterprise-operator\n      namespace: \u003crec-namespace\u003e\n    roleRef:\n      kind: ClusterRole\n      name: redis-enterprise-operator-consumer-ns\n      apiGroup: rbac.authorization.k8s.io\n  ```\n\n2. Apply the files.\n\n  ```sh\n  kubectl apply -f operator_cluster_role.yaml\n  kubectl apply -f operator_cluster_role_binding.yaml \n  ```\n\n3. Patch the ConfigMap in the REC namespace (`\u003crec-namespace\u003e`) to identify the managed namespaces with your label (`\u003clabel-name\u003e`).\n\n  ```sh\n   kubectl patch ConfigMap/operator-environment-config \\\n  -n \u003crec-namespace\u003e \\\n  --type merge \\\n  -p '{\"data\": {\"REDB_NAMESPACES_LABEL\": \"\u003clabel-name\u003e\"}}'\n  ```\n\n4. For each managed namespace, apply the same label. Replace `\u003cmanaged-namespace\u003e` with the namespace the REC will manage. Replace `\u003clabel-name\u003e` with the value used in the previous step. If you specify a value for `\u003clabel-value\u003e`, both the label name and value in managed namespaces must match to be detected by the operator. If the `\u003clabel-value\u003e` is empty, only the label name needs to match on managed namespaces and the value is disregarded.\n\n\n  ```sh\n  kubectl label namespace \u003cmanaged-namespace\u003e \u003clabel-name\u003e=\u003clabel-value\u003e\n  ```\n\n\nThe operator restarts when it detects a namespace label was added or removed.\n\n\n### Method 2: Explicit namespace list\n\nPatch the `operator-environment-config` in the REC namespace with a new environment variable (`REDB_NAMESPACES`).\n\n```sh\nkubectl patch ConfigMap/operator-environment-config \\ \n-n \u003crec-namespace\u003e \\\n--type merge \\\n-p '{\"data\":{\"REDB_NAMESPACES\": \"\u003ccomma,separated,list,of,namespaces,to,watch\"}}'\n```\n\n\nOnly configure the operator to watch a namespace after the namespace is created and configured with the role/role_binding as explained above. If configured to watch a namespace without setting those permissions or a namespace that is not created yet, the operator will fail and not perform normal operations.\n\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-04-08T12:21:52-07:00"
}